TITLE: Method of improving the security of postage meter machines
Brief Summary Text (50):

The EPROM holds the majority of the program code and makes this external program
code available to the microprocessor via the microprocessor bus. Since, however,
the program variables are additionally stored in the internal OTP-RAM, a
security-related encapsulation of the program execution is achieved. Program
executions having different security levels can thus be deliberately realized with
an OTP processor. In a faulty or manipulated postage meter machine, program
execution remains entirely within the OTP-ROM and cannot be forced into different
operating modes.

Detailed Description Text (13):

A start security check routine is undertaken, which checks the most important
externally maintained postage meter machine data and the external program code; the
routine itself, with its program code, is completely encapsulated in the internal
ROM and RAM area of the OTP. This security check routine can thereby recognize
manipulations that were carried out while the postage meter machine was
deactivated, without there being any external possibility of influencing the check
with manipulative intent, and can then effectively inhibit further operation of the
postage meter machine if the check routines do not run error-free. In this case,
the program execution remains in an endless program loop in the OTP-ROM (error
handling 1030). The external storage media are used by the MP (read EPROM, write
RAM) only after the checks have run error-free and the system routine 200 is
reached.

Detailed Description Text (94): 

The control unit 6 is a microprocessor or an OTP processor. In the OTP,
non-volatile memories and further circuits are accommodated in a common housing in
addition to a microprocessor. The internal non-volatile memory includes, for
example, program memories and, in particular, also allows security bits to be set
that prevent the internal non-volatile memory from being read out externally. These
security bits are set in the OTP during the manufacture of the postage meter
machine. Following security-related routines, such as accounting routines, with an
emulator/debugger would likewise lead to a modified execution timing, which can be
identified by the OTP processor. The OTP processor also includes a clock
generator/counter circuit for prescribing time intervals or clock cycles, for
example for time-out generation or printer control. When a specific time has
elapsed and the anticipated event has not occurred, the clock generator/counter
circuit generates an interrupt that reports the expiration of the time span without
result to the microprocessor, whereupon the microprocessor initiates further
measures. Inventively, the clock generator/counter circuit is utilized for
monitoring program running time. A known number of clock cycles for the program
execution of predetermined program parts is thereby used. Before the start of the
routine, the counter of the clock generator/counter circuit is pre-set or reset in
a predetermined way. After the start of the program routine, the counter reading is
continuously modified corresponding to the clock pulses of the clock generator.
After processing the critical, predetermined program parts, the status of the
counter is interrogated by the microprocessor and is compared to the anticipated
value. When a predetermined deviation in the running time of critical or
security-related program parts is exceeded, the postage meter machine can thus no
longer be operated for franking (kill mode 1). When a manipulator performs an
unauthorized operation, the postage meter machine is effectively shut down during
the running time by being switched into the first mode.

Detailed Description Text (96):

During times in which printing is not carried out (standby mode), an inquiry
regarding manipulation attempts ensues and/or a checksum is formed over the
register readings and/or over the content of the program memory PSP 11. In order to
improve the security against manipulation, the checksum is thereby formed for a
kill mode 2 in the OTP over the content of the external program memory PSP 11 and
the result is compared to a predetermined value stored in the OTP. This preferably
ensues in step 101 when the postage meter machine is started or in step 213 when
the postage meter machine is operated in standby mode. The standby mode is reached
when a predetermined time elapses without an input or a print request. The latter
occurs when a letter sensor of a known type (not shown in detail) does not identify
a next envelope that is to be franked. Step 405 in the franking mode 400 (shown in
FIG. 5) therefore also includes a further inquiry about a time lapse, whereby a
time transgression ultimately leads again to point e, and thus to the input routine
according to step 209. When the interrogation criterion is met, a standby flag is
set in step 408 and a direct branch is made back to the point s to the system
routine 200 or to the point t without running through the accounting and printing
routine in step 406. The standby flag is interrogated later in step 211 and is
reset in step 213 after the checksum check when no manipulation attempt has been
recognized.

Detailed Description Text (98):

In order to further enhance the security against manipulations, a flow control is
inventively utilized that is set forth below. Such a flow control ensues by
modifying a numerical value in a memory at one or more points during the
implementation of the program routine. After the execution of the program routine,
the modified numerical value is compared to a predetermined numerical value
allocated to this program routine. When branchings are executed during the program
run, different numerical values will result. A plausibility test is implemented in
a following evaluation, or a determination can be made as to what branchings were
executed. This is achieved by modifying the numerical value through multiplication
by a specific prime number allocated to the respective program part. A prime
factorization then merely has to be carried out in a later evaluation.
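
The prime-number flow control described above, as an added example in C (not code from the patent): each program part multiplies a value in memory by its allocated prime, the result is compared with the products allocated to the routine, and factorization shows which parts ran. The part names, the primes, and the sample routine with its `skip_accounting` switch are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical program parts and the prime allocated to each (assumed values). */
enum { P_ENTRY = 2, P_BRANCH_A = 3, P_BRANCH_B = 5, P_ACCOUNT = 7, P_EXIT = 11 };
static const uint32_t PRIMES[] = { P_ENTRY, P_BRANCH_A, P_BRANCH_B, P_ACCOUNT, P_EXIT };
/* Predetermined values allocated to the routine: one product per legitimate path. */
static const uint32_t ALLOWED[] = { 2u * 3u * 7u * 11u, 2u * 5u * 7u * 11u };
static uint32_t flow;                              /* numerical value held in memory */
static void mark(uint32_t prime) { flow *= prime; }

/* Constructed routine; skip_accounting models a manipulated run. */
uint32_t run_routine(int take_branch_b, int skip_accounting)
{
    flow = 1;
    mark(P_ENTRY);
    if (take_branch_b) mark(P_BRANCH_B); else mark(P_BRANCH_A);
    if (!skip_accounting) mark(P_ACCOUNT);
    mark(P_EXIT);
    return flow;
}

/* Plausibility test: the value must equal one of the allocated products. */
int flow_plausible(uint32_t value)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (value == ALLOWED[i]) return 1;
    return 0;
}

/* Prime resolution: bit i set = part i ran once; -1 = repeated part or foreign factor. */
int parts_executed(uint32_t value)
{
    int mask = 0;
    if (value == 0) return -1;
    for (size_t i = 0; i < sizeof PRIMES / sizeof PRIMES[0]; i++) {
        if (value % PRIMES[i] == 0) { value /= PRIMES[i]; mask |= 1 << i; }
        if (value % PRIMES[i] == 0) return -1;     /* same part marked twice */
    }
    return value == 1 ? mask : -1;
}

int main(void)
{
    uint32_t ok = run_routine(0, 0), bad = run_routine(0, 1);
    printf("normal:      %u plausible=%d parts=%d\n", (unsigned)ok, flow_plausible(ok), parts_executed(ok));
    printf("manipulated: %u plausible=%d parts=%d\n", (unsigned)bad, flow_plausible(bad), parts_executed(bad));
    return 0;
}
```

Because the primes are distinct, every set of executed parts yields a unique product, so a run that bypasses the accounting part cannot produce either allocated value.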




US-PAT-NO: 5805711 

DOCUMENT-IDENTIFIER: US 5805711 A

TITLE: Method of improving the security of postage meter machines
DATE-ISSUED: September 8, 1998
INVENTOR-INFORMATION:

NAME               CITY     STATE  ZIP CODE  COUNTRY
Windel; Harald     Berlin                    DE
Reisinger; Frank   Berlin                    DE
Freytag; Claus     Berlin                    DE
Kubatzki; Ralf     Berlin                    DE
Hansel; Marcus     Berlin                    DE
Gunther; Stephan   Berlin                    DE
Bischoff; Enno     Berlin                    DE
Wagner; Andreas    Berlin                    DE
Zarges; Olav A.    Berlin                    DE
Berthold; Arndt    Berlin                    DE
Rieckhoff; Peter   Berlin                    DE



ASSIGNEE-INFORMATION:

NAME                         CITY          STATE  ZIP CODE  COUNTRY  TYPE CODE
Francotyp-Postalia AG & Co.  Birkenwerder                   DE       03

APPL-NO: 08/525923
DATE FILED: September 8, 1995

PARENT-CASE:

RELATED APPLICATION The present application is a continuation-in-part of U.S.
application Ser. No. 08/346,909 filed Nov. 30, 1994 ("Method for Improving the
Security of Postage Meter Machines," Windel et al.), filed under the provisions of
37 C.F.R. §1.53, now U.S. Pat. No. 5,671,146.

FOREIGN-APPL-PRIORITY-DATA:

COUNTRY  APPL-NO      APPL-DATE
DE       43 44 476.8  December 21, 1993

INT-CL: [06] H04L 9/00

US-CL-ISSUED: 380/55; 380/2, 380/4, 380/23, 380/25, 380/49, 380/50, 380/51,
705/401, 705/405, 705/408, 705/410

US-CL-CURRENT: 380/55; 380/2, 380/51, 705/401, 705/405, 705/408, 705/410, 705/60,
713/187






FIELD-OF-SEARCH: 380/2, 380/4, 380/23, 380/24, 380/25, 380/49, 380/50, 380/51, 
380/55, 380/59, 364/464.11, 364/464.14, 364/464.15, 705/401, 705/405, 705/408, 
705/410 

PRIOR-ART-DISCLOSED: 

U.S. PATENT DOCUMENTS

PAT-NO    ISSUE-DATE       PATENTEE-NAME
3255439   June 1966        Simjian
4129302   December 1978    Stone
4251874   February 1981    Check, Jr.
4347506   August 1982      Duwel et al.
4549281   October 1985     Eckert et al.
4746234   May 1988         Harry
4785417   November 1988    Obrea
4811234   March 1989       Storace
4812965   March 1989       Taylor
4812994   March 1989       Taylor et al.
4864506   September 1989   Storace
5077660   December 1991    Haines et al.
5181245   January 1993     Jones
5243654   September 1993   Hunter
5572429   November 1996    Hunter et al.
5638442   June 1997        Gargiulo et al.



US-CL 



364/464.14 
380/2 



FOREIGN PATENT DOCUMENTS 



FOREIGN-PAT-NO  PUBN-DATE        COUNTRY  US-CL
0 388 840       September 1990   EP
0 388 839       September 1990   EP
0 194 660       March 1992       EP
0 516 403       December 1992    EP
0 547 922       June 1993        EP
0 576 113       December 1993    EP
0 578 042       January 1994     EP
0 647 925       April 1995       EP
2 233 937       January 1991     GB



OTHER PUBLICATIONS 






"Asymmetrische Verschlusselung auf der Chipkarte," Drews et al., Design &
Elektronik, vol. 4, Feb. 16, 1993, pp. 76-81.

"Damit Geheimdaten vertraulich bleiben — Verschlusselungsalgorithmus IDEA lost DES
ab," Bruggemann et al., Elektronik, vol. 10 (1993), pp. 84-93.

ART-UNIT: 362

PRIMARY-EXAMINER: Gregory; Bernarr E.
ABSTRACT:

A method for securing data and program code of an electronic postage meter machine 
against manipulation, having a microprocessor in a control unit of the postage 
meter machine for implementing steps for a start and initialization routine and 

avoid pipeline delays. Execution units which generate their traps earlier in the
instructions should complete, using the ordering information available from the
different execution units. The enable masks cover the different possibilities of
trap or no trap for the execution units which produce later traps. The traps from
the execution units providing a later trap indication then select from the possible
enable masks depending upon whether or not a trap is indicated by such second group
of execution units. The enable mask is then used to enable or disable the
destination registers used by the different execution units for that group of
instructions.

An improved method and apparatus for ordering traps in a multiscalar design to

20 Claims, 4 Drawing figures 
PRIMARY-EXAMINER: Chan; Eddie P.

ASSISTANT-EXAMINER: Verbrugge; Kevin

ATTY-AGENT-FIRM: Murray; Susan Abate; Joseph P.

ABSTRACT:

A computer system includes a processor and a cache and memory management unit. The 
processor includes a means for retiring instructions in program order. The cache 
and memory management unit includes means for detecting when a translation has been 
evicted from a lookaside buffer and means for communicating eviction information to 
the means for retiring instructions in program order. The means for retiring 
instructions in program order includes means for holding a storage related 
instruction which causes a miss in the lookaside buffer or in the cache in a first 
pass of execution until the instruction becomes the oldest storage related 
instruction in program sequence and further includes means responsive to the 
eviction information for flushing all storage related instructions except the 
current storage related instruction. The system avoids the occurrence of misses in 
the buffer late in execution (e.g., PASS 2 or later), thus avoiding a necessity for 
complex recovery provisions. 

6 Claims, 8 Drawing figures 